Wednesday, 27 September 2017

Recount of Internet-accessible PLCs from Shodan

This recount was done in February 2017 by searching only in Shodan. Of course we could not look for every ICS device vendor or product; many are left out (Moxa, Hirschmann, Westermo, Digi...), but we tried to cover the most widespread vendors and devices. This table will be updated as I look into other vendors.

The table shows the vendor, the product family, the specific product (device) and the search term used in Shodan. The last column is the number of devices found of that type.

| Vendor | Product family | Product | Shodan search term | # Devices found |
|---|---|---|---|---|
| Siemens | S7-200 family | S7-200 | port:102 & S7-200 | 105 |
| | | S7-200 | port:102 & !S7-200 & 151- | 176 |
| | | Total (S7-200) | | 281 |
| | S7-300 family | S7-312 | CPU 312 & port:102 | 0 |
| | | | !CPU & port:102 & 312- | 9 |
| | | S7-313 | CPU 313 & port:102 | 254 |
| | | | !CPU & port:102 & 313- | 24 |
| | | S7-314 | CPU 314 & port:102 | 210 |
| | | | !CPU & port:102 & 314- | 40 |
| | | S7-315 | CPU 315 & port:102 | 450 |
| | | | !CPU & port:102 & 315- | 104 |
| | | S7-316 | CPU 315 & port:102 | 0 |
| | | | !CPU & port:102 & 315- | 5 |
| | | S7-317 | CPU 317 & port:102 | 60 |
| | | | !CPU & port:102 & 317- | 4 |
| | | S7-318 | CPU 318 & port:102 | 103 |
| | | | !CPU & port:102 & 318- | 6 |
| | | S7-319 | CPU 319 & port:102 | 35 |
| | | | !CPU & port:102 & 319- | 0 |
| | | Total (Series 300) | | 1319 |
| | S7-400 family | S7-412 | !CPU & port:102 & 412- | 8 |
| | | S7-414 | !CPU & port:102 & 414- | 7 |
| | | Total (Series 400) | | 15 |
| | S7-1200 family | S7-1211 | !CPU & port:102 & 211 | 25 |
| | | S7-1212 | !CPU & port:102 & 212 | 236 |
| | | S7-1214 | !CPU & port:102 & 214 | 544 |
| | | S7-1215 | !CPU & port:102 & 215 | 58 |
| | | S7-1217 | !CPU & port:102 & 217 | 1 |
| | | Total (S7-1200) | | 864 |
| Schneider Electric | Modicon M-221 | TM221CE24T | TM221CE24T | 28 |
| | | TM221CE24R | TM221CE24R | 15 |
| | | TM221CE16T | TM221CE16T | 35 |
| | | TM221CE16R | TM221CE16R | 25 |
| | | TM221ME16R | TM221ME16R | 46 |
| | | TM221ME32TK | TM221ME32TK | 13 |
| | | TM221CE40T | TM221CE40T | 112 |
| | | TM221CE40R | TM221CE40R | 68 |
| | | Total (M-221) | | 342 |
| | Modicon M-241 | TM241CEC24R | TM241CEC24R | 3 |
| | | TM241CE24R | TM241CE24R | 8 |
| | | TM241CE24T_U | TM241CE24T_U | 14 |
| | | TM241CEC24T_U | TM241CEC24T_U | 27 |
| | | TM241CE40R | TM241CE40R | 17 |
| | | TM241CE40T_U | TM241CE40T_U | 18 |
| | | Total (M-241) | | 87 |
| | Modicon M-251 | TM251MESC | TM251MESC | 3 |
| | | TM251MESE | TM251MESE | 23 |
| | | Total (M-251) | | 26 |
| | Modicon M-258 | TM258LF42DR | TM258LF42DR | 1 |
| | | Total (M-258) | | 1 |
| | Modicon M-340 | | port:502 & BMX P34 | |
| | | BMX P34 2020 | | 587 |
| | | BMX NOE 0100 | | 280 |
| | | BMX NOE 0110 | | 10 |
| | | BMX P3420302 | | 45 |
| | | BMX P342030 | | 6 |
| | | BMX P341000 | | 2 |
| | | BMX PRA0100 | | 3 |
| | | BMX NOR 0200 | | 1 |
| | | Total (M-340) | | 934 |
| | Modicon M-580 | | port 502 & BME P58 | 5 |
| | | Total (M-580) | | 5 |
| | TSX Premium family | | port 502 & !BMX !BME TSX | 109 |
| | | | port 502 & !BMX !BME !TSX & TSXETY410 | 65 |
| | | Total (TSX Premium) | | 174 |
| | Modicon Momentum | CBU 98090 | CBU 98090 | 32 |
| | | CBU 98091 | CBU 98091 | 6 |
| | | Total (Momentum) | | 38 |
| Allen Bradley / Rockwell | CompactLogix | CompactLogix 1769 | port:44818 & rockwell & 1769 | 1339 |
| | | CompactLogix 1756 | port:44818 & rockwell & 1756 | 222 |
| | | CompactLogix 1747 | port:44818 & rockwell & 1747 | 182 |
| | | CompactLogix 1761 | port:44818 & rockwell & 1761 | 129 |
| | | CompactLogix 1768 | port:44818 & rockwell & 1761 | 39 |
| | Micro family | | | 2531 |
| | Other | | | 1041 |
| | | Total (Allen Bradley) | | 5483 |
| Phoenix Contact | ILC | ILC 171 | port:1962 ILC 171 | 19 |
| | | ILC 150 | port:1962 ILC 150 | 112 |
| | | ILC 151 | port:1962 ILC 151 | 191 |
| | | ILC 191 | port:1962 ILC 191 | 20 |
| | | ILC 130 | | 26 |
| | | ILC 131 | port:1962 ILC 131 | 35 |
| | | ILC 170 | port:1962 ILC 170 | 9 |
| | | ILC 190 | port:1962 ILC 190 | 5 |
| | | ILC 330 | port:1962 ILC 330 | 7 |
| | | ILC 170 | | 9 |
| | | ILC 370 | | 5 |
| | | ILC 350 | | 6 |
| | | Total (Phoenix Contact) | | 444 |
| Invensys | Invensys | | | |
| | | Total (Invensys) | | 61 |
| ABB | ABB Stotz | ABB Stotz Kontakt 33 | ABB Stotz Kontakt 33 | 4 |
| | | | ABB 33 !Stotz port:"502" | 14 |
| | | ABB Stotz Kontakt 29 | ABB Stotz Kontakt 29 | 18 |
| | | | ABB 29 !Stotz port:"502" | 4 |
| | | ABB Stotz Kontakt 34 | ABB Stotz Kontakt 34 | 30 |
| | | | ABB 34 !Stotz port:"502" | 8 |
| | | ABB Stotz Kontakt 37 | ABB Stotz Kontakt 37 | 34 |
| | | | ABB 37 !Stotz port:"502" | 34 |
| | | ABB 43 | | 1 |
| | | Total (ABB) | | 146 |
| Delta-V | | | | |
| | | Total (Delta-V) | | 21 |
| Wago | | | wago port:"44818" | 38 |
| | | | wago & snmp | 35 |
| | | Wago 750-880 | wago 750-880 | 18 |
| | | Wago 750-881 | Wago 750-881 | 36 |
| | | Wago 750-873 | Wago 750-873 | 10 |
| | | Wago 750-841 | Wago 750-841 | 8 |
| | | Wago 750-341 | Wago 750-341 | 1 |
| | | Total (Wago) | | 73 |
| Opto-22 | | | | |
| Beckhoff | | | beckhoff & port:4840 | 4 |
| | | Total (Beckhoff) | | 4 |
| Lantronix | | Lantronix UDS1100 | Lantronix UDS1100 | 2763 |
| | | Lantronix UDS2100 | Lantronix UDS2100 | 265 |
| | | Lantronix SLS | Lantronix SLS | 1592 |
| | | Lantronix SLSLP | Lantronix SLSLP | 272 |
| | | Lantronix xDirect 232 | Lantronix xDirect 232 | 1126 |
| | | Lantronix MSS100 | Lantronix MSS100 | 150 |
| | | Other | Lantronix | 19738 |
| | | Total (Lantronix) | | 24013 |
| Omron | | | omron & port:44818 | 296 |
| | | | port:9600 & cj2m | 395 |
| | | Total (Omron) | | 691 |
| Yokogawa | | | yokogawa & port:44818 | |
| | | Total (Yokogawa) | | 9 |
| General Electric | | | port:18245,18246 product:"general electric" | |
| | | Total (GE) | | 51 |
| Honeypots | | Conpot | | 61 |

Wednesday, 20 September 2017

The Unity (UMAS) protocol (Part V)

This is the fourth article in a series of entries in this blog about the Unity (UMAS) protocol, used by Schneider Electric devices for configuration purposes.

INDEX

Part I. Introduction, initialization phase, function codes used in the initialization phase

Part II. Function codes used to read and write memory values from/to memory

Part III. Function codes used to deal with logic programs, and work with the PLC

Part IV. Other extra function codes

Part V. Modicon Premium PLCs specific function codes

In this part we'll talk about the function codes specific to Schneider Electric's Modicon Premium PLCs.

A number of function codes exist only for Schneider Electric Modicon Premium PLCs. For instance:

Read IO Object ("01 70") and Read IO Module ("01 73")

These function codes allow Unity to read the Discrete Premium I/O Modules (more information on them in this link). These modules can be read normally, for status, or when an error occurs in the module.

Normal requests

To read an IO module, first you need to put it in "read status". To do that, a "01 73" request needs to be sent. This is the structure of that request:

  • NMOD is generally 4 or 8, depending on the size of the IO Module. If NMOD is 4, the next 2 WORDs (4 bytes) indicate which module is being referred to. If NMOD is 8, the next 4 WORDs (8 bytes) indicate the IO Module number and offset. The NMOD field is therefore effectively a length field for the IO Module offset.
  • WORD 0, WORD 1, WORD 2, WORD 3 indicate the Premium IO Module number and offset.


Response

In the response, the first byte can take a value from 0 to 4. The last two bits of this byte have the following meaning:

  • Last bit: Module Present (True/False)
  • 7th bit: Module Configured (True/False)

The next 4 bytes store the Module Identity, and the following 4 bytes are unused.

The 9th byte indicates the module version, and the 10th byte indicates the LED states.


Read IO Object

An IO Object is a value inside an IO Module. Function code 0x70 allows Unity to read IO Module Objects. To read these objects, the module first needs to be set as "read": a 0x73 request like the one shown above needs to be sent before the 0x70 request.

An IO Object can be read normally, for status, or for a module in error. The normal request structure is the following:

In this request the field in blue is the "Channel" and the second Word of the orange field is the "IO Object". A value of FF means "all".

When the request is done to read the IO Object status, the request is the following:

The green field can take the following values:

  • 01 10: When a channel exchange for an IO Object is requested.
  • 01 40: When an IO Object is read "For explicit".

And finally, when the request is for a module in error, the request is the following:

Response

The response to a 0x70 request indicates the input number, output number, state and structure of the module. If the request was made "for status", only the status of the module is returned.

Write IO Object ("01 71")

The structure of an IO Object write request is the following:




Read Ethernet Master Data ("01 39")

Clients running Unity can access devices on distributed control systems or download applications to them. The Ethernet Master Data is the network configuration information for distributed control systems. It can be read on Schneider Modicon Premium devices with request "01 39".

The "Read Ethernet Master Data" request has the following structure:


Response
  • The first six bytes of the response have an unknown meaning.
  • The seventh byte is 0x22 (unless there is an error in the device).
  • The next 4 bytes are the 4 bytes of the device's IP address.
  • The next 4 bytes are the 4 bytes of the device's network mask.
  • The next 4 bytes are the 4 bytes of the device's default gateway.
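As an added example (not the blog's own code), here is a Python parser for the two response layouts described in this part: the 0x73 Read IO Module response and the 0x39 Read Ethernet Master Data response, with the length and status checks a dissector or passive monitor would need. Assumptions not stated on the page: bit 0 of the flag byte means "present" and bit 1 means "configured", the version and LED bytes sit at 0-based offsets 9 and 10, and the sample payloads are constructed rather than captured.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed sample payloads (not captured from a real device).
# 0x73 body: flags | identity (4) | unused (4) | version | LEDs
SAMPLE_READ_IO_MODULE = bytes.fromhex("03" "01020304" "00000000" "05" "0a")
# 0x39 body: 6 unknown bytes | 0x22 | IP (4) | netmask (4) | gateway (4)
SAMPLE_ETH_MASTER_DATA = bytes.fromhex(
    "000000000000" "22" "c0a80114" "ffffff00" "c0a80101")

@dataclass(frozen=True)
class IoModuleStatus:
    present: bool
    configured: bool
    identity: bytes
    version: int
    leds: int

@dataclass(frozen=True)
class EthernetMasterData:
    ip: IPv4Address
    netmask: IPv4Address
    gateway: IPv4Address

def parse_read_io_module_response(body: bytes) -> IoModuleStatus:
    """Parse the body of a 0x73 (Read IO Module) response.

    Assumption: bit 0 of the flag byte = module present, bit 1 = module
    configured; version and LED bytes are at 0-based offsets 9 and 10.
    """
    if len(body) < 11:
        raise ValueError(f"0x73 response too short ({len(body)} bytes)")
    flags = body[0]
    if flags > 4:  # the article says the flag byte ranges from 0 to 4
        raise ValueError(f"unexpected flag byte 0x{flags:02x}")
    return IoModuleStatus(present=bool(flags & 0x01),
                          configured=bool(flags & 0x02),
                          identity=body[1:5], version=body[9], leds=body[10])

def parse_ethernet_master_data_response(body: bytes) -> EthernetMasterData:
    """Parse the body of a 0x39 (Read Ethernet Master Data) response."""
    if len(body) < 19:
        raise ValueError(f"0x39 response too short ({len(body)} bytes)")
    if body[6] != 0x22:  # anything else means the device reported an error
        raise ValueError(f"device error, status byte 0x{body[6]:02x}")
    # IP, netmask and gateway follow the status byte, 4 bytes each
    ip, mask, gw = (IPv4Address(body[off:off + 4]) for off in (7, 11, 15))
    return EthernetMasterData(ip, mask, gw)
```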

In the next entry, the last function codes found in this protocol will be explained.